Bizarre SiriusXM code flaw accused of unlocking smart vehicles

Smart Car
(Image credit: 123RF)

UPDATE: A spokesperson for SiriusXM Connected Vehicle Services has told TechRadar Pro that the flaw was reported through its bug bounty program and fixed within 24 hours of the initial report.

A code flaw that could have been exploited to allow criminals access to connected vehicles has now been fixed, according to reports.

The flaw was found in SiriusXM Connected Vehicle Services, a software suite offering a slew of features such as automatic crash notifications, enhanced roadside assistance, remote door unlocking, remote start, stolen vehicle recovery assistance, turn-by-turn navigation and integration with smart home devices.

SiriusXM Connected Vehicle Services is used by a large number of automakers, including Honda, Nissan, Infiniti, and Acura, all of which were vulnerable. 

VIN for authorization

The flaw was made public by Yuga Labs security researcher Sam Curry, who has a history in finding security flaws in automobiles. In a Twitter thread, Curry explained how the flaw works, and added that SiriusXM already fixed it. 

Apparently, the problem stemmed from the fact that the telematics platform uses the car’s Vehicle Identification Number (VIN), which is often found on the windshield, to authorize commands and grab user profiles.

This means that whoever knows the VIN number can issue a number of commands remotely, from unlocking the doors to starting the engine. 

Responding to the findings in The Register, the company’s spokesperson said SiriusXM was tipped off via its bounty-hunting program

"We take the security of our customers' accounts seriously and participate in a bug bounty program to help identify and correct potential security flaws impacting our platforms,” the statement reads. 

“As part of this work, a security researcher submitted a report to Sirius XM's Connected Vehicle Services on an authorization flaw impacting a specific telematics program. The issue was resolved within 24 hours after the report was submitted. At no point was any subscriber or other data compromised nor was any unauthorized account modified using this method."

Via: The Register

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
Subaru Starlink
Hackers expose serious Subaru security flaws that allow them to remotely start cars
Volkswagen Lane Keep
Over 800,000 electric car owners and drivers may have had private info exposed online
A VPN runs on a mobile phone placed on a laptop keyboard
SonicWall firewalls hit by worrying cyberattack
Password
Millions of airline customers possibly affected by OAuth security flaw
A person at a laptop with a cybersecure lock symbol floating above it.
Hackers are still using old Ivanti bugs to break into networks
Representational image depecting cybersecurity protection
Cisco smart licensing system sees critical security flaws exploited
Latest in Security
Isometric demonstrating multi-factor authentication using a mobile device.
NCSC gets influencers to sing the praises of 2FA
Sam Altman and OpenAI
OpenAI is upping its bug bounty rewards as security worries rise
A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.
Dangerous new CoffeeLoader malware executes on your GPU to get past security tools
China
Notorious Chinese hackers FamousSparrow allegedly target US financial firms
A digital representation of a lock
NYU website defaced as hacker leaks info on a million students
NHS
NHS IT supplier hit with major fine following ransomware attack
Latest in News
Nintendo Switch 2 Joy-Con up-close from app store
Nintendo's new app gave us another look at the Switch 2, and there's something different with the Joy-Con
cheap Nintendo Switch game deals sales
Nintendo didn't anticipate that Mario Kart 8 Deluxe was 'going to be the juggernaut' for the Nintendo Switch when it was ported to the console, according to former employees
Three angles of the Apple MacBook Air 15-inch M4 laptop above a desk
Apple MacBook Air 15-inch (M4) review roundup – should you buy Apple's new lightweight laptop?
Witchbrook
Witchbrook, the life-sim I've been waiting years for, finally has a release window and it's sooner than you think
Amazon Echo Smart Speaker
Amazon is experimenting with renaming Echo speakers to Alexa speakers, and it's about time
Shigeru Miyamoto presents Nintendo Today app
Nintendo Today smartphone app is out now on iOS and Android devices – and here's what it does